Legal requirements regarding personnel files are set forth in Labor Law no. 4857, where article 75 obligates employers to keep personnel files containing information and documents of employees. Indeed, article 104 of the Law imposes administrative fines on employers who fail to keep personnel files. Personnel files contain an employer’s records on an employee’s identity information, education, health, military service status, residence, etc., and the information and documents in them are legally protected under the Personal Data Protection Law (“KVKK”). The KVKK imposes serious obligations on the employer for the processing of employees’ personal data, requiring them to process only the information required for the relevant job and to store the data in a secure environment. Data processing performed without complying with the procedures and principles in the Law will constitute a breach of personal data. Therefore, any information contained in a personnel file should be processed in accordance with the KVKK. The protection of personal data in personnel files is analyzed from various aspects below.
Processing, Storage and Destruction of Personal Data in Personnel Files
The information in personnel files may only be processed for “specified, explicit and legitimate purposes in compliance with the principles of lawfulness and fairness” pursuant to article 4 of the KVKK. The employer must collect such data by ensuring that they are “relevant, limited and proportionate to the purposes for which they are processed” and process only those that serve the requirements of the relevant job. The data in personnel files should be stored in a secure environment and only accessed by authorized people.
As per article 7 of the KVKK, employers must destroy data when the retention period has expired and the processing is no longer necessary. Moreover, the “Regulation on Erasure, Destruction or Anonymization of Personal Data” and the “Personal Data Retention and Destruction Policy of the Personal Data Protection Authority” require employers to erase, destroy or anonymize data when their processing is no longer needed or when they become unnecessary with the expiration of the maximum period required for the retention of personal data after the termination of the employment agreement, in accordance with the relevant regulation.
Protection and Processing of Health Data
Health data are treated under “special categories of personal data” pursuant to article 6 of the KVKK, and their processing requires explicit consent. They provide information on the health of an employee, including the results of their medical examinations performed at hiring and at regular intervals, and they should only be collected by a workplace physician or authorized health personnel. Indeed, the decisions of the Personal Data Protection Board indicate that a workplace physician may process health data within the limits of their duties stipulated in the legislation, provided that the data controllers take adequate measures in the processing of special categories of personal data.
Employers are responsible for taking care of the health of their employees against any occupational health and safety risks. A workplace physician may examine an employee’s health at hiring, upon job changes, after work accidents or occupational health issues if requested, or periodically based on job or enterprise hazard level, with a report prepared after each examination. Employers are also responsible for ensuring that health data are collected purposefully and proportionally, limited only to the information required by the job, depending on the nature of the work to be performed, and that they are processed with the consent of the employee.
As for the protection of health data, the employee’s examination forms, medical reports and all other health data must be kept by the workplace physician, not in the personnel file, and must remain inaccessible to others to prevent breaches of data privacy and security.
Can Criminal Records Be Kept in Personnel Files?
Information on a person’s criminal conviction is grouped under special categories of personal data. Therefore, pursuant to article 6 of the KVKK, criminal records may be processed only when “explicitly required by law”, “with the data subject’s explicit consent”, or in other cases specified by the law.
Some regulations allow or even require obtaining criminal records in certain fields or positions (security guards, personnel working in private educational institutions, etc.). However, these regulations are exceptions and, as a rule, employers may only process the criminal records of their employees after obtaining their explicit consent. Therefore, unless specifically provided for in the laws, employees’ criminal records may not be lawfully processed without their explicit consent. Moreover, when obtaining their explicit consent, the personnel should be informed that their decision to give explicit consent will not affect the outcome of their job application or their employment and that they can withdraw their explicit consent at any time and without any conditions. In addition, the data should be stored with adequate measures as specified by the Personal Data Protection Board and destroyed within the relevant period.
Conclusion
Employers’ obligations to process employees’ personal data only when necessary for their jobs and to take all technical and administrative data security measures help protect personnel file data and foster a reliable work environment.
The retention and destruction of personnel files hold great significance for employers as these files contain a large number of general and special categories of personal data. Thus, employers must process data in a measured manner, respecting the data processing purposes and limits stipulated in the Law, abide by the principles given in the Law and other legislation, take the necessary measures in the retention of personnel files and comply with the destruction policy at the end of the relevant period. Legal guidance is vital for the diligent completion of each step of the process without any breaches. In addition, employee awareness by way of in-house training may help avoid administrative fines that may arise from breaches of obligations under the KVKK.